Search code examples
google-cloud-platformgoogle-cloud-firestoregoogle-cloud-datastoregoogle-cloud-iam

Google Cloud Datastore and service accounts: limit access permissions

Background

I have a Google Cloud Project with:

  • Datastore (Firebase mode)
  • 2 Service accounts

I have two application that using those service accounts. Each application is using different kind (kind1 and kind2).

I looking for a way to limit the access of:

  • Service account 1 to kind1 only
  • Service account 2 to kind2 only

Questions

  1. How to do it?
  2. Is this possible to define permission, like readonly or writeonly? So, even if service account have permission to specific kind, still he can do limited operation on this kind?
Solution

  • There is no such permissions or roles in GCP to limit access to datastore per kind. Your only way to do this is to control it on your backend application service(Nodejs, Python ...etc).

    Consult the full permission list for datastore here[1]

    [1]https://cloud.google.com/datastore/docs/access/iam#iam_roles